The Math Behind Elliptic Curves over Binary Field

Post navigation

In the previous post, we’ve mention the math behind addition law for elliptic curves over Galois Field GF(p) – prime field. Now, math behind elliptic curves over Galois Field GF(2n) – binary field would be mentioned. In literature, elliptic curves over GF(2n) are more common than GF(p) because of their adaptability into the computer hardware implementations. These type of curves are also called as Koblitz curves.

Elliptic Curves over GF(2n)

Algebraically, an elliptic curve over binary field is represented as the following form:

y2 + xy = x3 + ax2 + b, (b≠0)

Negative Point

Suppose that P(x, y) is a point on the curve. The negative of the point P(x, y) is -P(x, -(x+y)), and -P is still on the curve.

Also, the point -R(x3, -(x3+y3)) has to be located on the linear line y = ß.x + µ.

-(x3+y3) = ß.x3 + µ

Put the obtained µ the equation above

-(x3+y3) = ß.x3 + y1 – ß.x1

-x3 – y3 = ß.x3 + y1 – ß.x1

y3 = ß.x1 -x3 – ß.x3 – y1

y3 = ß(x1 – x3) – x3 – y1 [Eq. 3]

To sum up, addition of two point P(x1, y1) and Q(x2, y2) on the elliptic curve form y2 + xy = x3 + ax2 + b is another point on the curve which is labeled R(x3, y2) and could be computed by the following formulas.

P(x1, y1) + Q(x2, y2) = R(x3, y3)

ß = (y1-y2)/(x1-x2)

x3 = ß2 + ß – x1 – x2 – a

y3 = ß(x1 – x3) – x3 – y1

Doubling a point

Similarly, doubling a point on an elliptic curve is implemented by following principles.

The red line is tangential to the elliptic curve at the point labeled P(x1, y1). The slope of the tangent line is equal to the derivative of the elliptic curve function at the point labeled P(x1, y1).

(y2 + xy)’ = (x3 + ax2 + b)’

2y.dy + y.dx + x.dy = 3x2.dx + 2.a.x.dx

2y.dy + x.dy = 3x2.dx + 2.a.x.dx – y.dx

dy(2y + x) = dx(3x2 + 2.a.x – y)

ß = dy/dx = (3x2 + 2.a.x – y)/(2y + x)

We’ve known x1, y1 pairs are on the line. Let’s put the pairs into the slope formula.

ß = (3.(x1)2 + 2.a.x1 – y1)/(2y1 + x1)

Doubling a point on an elliptic curve over GF(2n) could be computed by the following formulas.

P(x1, y1) + P(x1, y1) = 2P(x2, y2)

ß = (3.(x1)2 + 2.a.x1 – y1)/(2y1 + x1)

x2 = ß2 + ß – 2.x1 – a

y2 = ß(x1 – x2) – x2 – y1

As metioned before, this type of elliptic curves are mostly used in cryptographic hardware implementations because of their speed and adaptability.